24 January 2011

Pragmatic ethics

Is it ethically acceptable for workers to pinch the odd pencil or Post-It note from work, or is this just the thin end of the wedge that leads to fraud, theft, corruption, Enron and Global Economic Meltdown?

It's a tricky issue when you factor in the difficulties of writing and enforcing corporate policies on ethics, the effects these have on the workforce, and the prospect of tacitly or even formally endorsing unethical and perhaps illegal behaviours through weak policies and lax attitudes towards compliance. It's also a cultural issue, which makes it fuzzy and complex both to characterise and even more so to address.

In the information security context, an obvious illustration of ethical ambiguity concerns the passing-on of proprietary information by former employees to their new employers. We've all done it to varying extents, though most of us would justify it by referring to "experience" rather than admitting to any overt misuse of intellectual property, oh no. The former employer may well be concerned at being drained of valuable assets in this way (and many try to clarify and codify their concerns in employment contracts, policies, even non-compete agreements and exit interviews), but at the same time they are only too pleased to take on "experienced" new employees. OK, so employers may refuse to exploit a new employee's specific knowledge of a competitor's strategies, products or processes in such terms, but benefiting from their general expertise and knowledge is universally accepted as fair game.

Where should we draw the line dividing ethical/acceptable from unethical/unacceptable behaviours? Some argue passionately that it is a mistake even to attempt to draw ethical dividing lines in this way. One suggestion is to 'embrace ambiguity', relying on strong, ethical leadership practices to guide the corporate culture instead of voluminous ethics policies, codes of practice and the like. Taking that a stage further, shouldn't we be using ethics, honesty, integrity and trustworthiness as factors in selecting new employees, especially for privileged and trusted positions that clearly demand them? If a candidate appears willing to disclose confidential proprietary information from former employers in a job interview, the likelihood is that they will do the same thing when they move on to subsequent jobs, perhaps even while still employed. Do you really want to take on the liability?


About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org